Barcelona restaurant avenges bad reviews by revealing customers' personal data and sexual orientation
The Spanish data protection authority has sanctioned the restaurant for violating GDPR and unlawfully processing data
Susana Zamora
Wednesday, 1 April 2026, 15:13
The Spanish data protection agency (AEPD) has sanctioned a Barcelona restaurant for retaliating against negative reviews by revealing the customers' personal data, such as full name and sexual orientation, among other details.
The conflict dates back to 7 May 2024, when the AEPD received two complaints against Pinkgreen Barcelona, SL. The customers stated that the establishment had overstepped legal boundaries by responding to their Google reviews.
According to the AEPD resolution, both users posted negative reviews (in one case, even without a comment, simply with one star), after which the restaurant responded by making personal data public.
One of the complainants says that, despite the profile "only including the first name, without surname or identifying photo", the company responded by revealing the customer's "full name, the university they attended, their sexual orientation and their partner's name". Furthermore, it included the data of the two people who had accompanied the customer.
The second complaint describes a similar situation, denouncing a "completely disproportionate" response that also exposed identifying information.
The AEPD subsequently confirmed that these responses remained visible months later, prolonging the effects of the reported conduct.
During the proceedings, the company claimed it was unable to defend itself, stating that it had not received prior notification. However, the ruling rejects this argument, stating that the AEPD made attempts to notify the company both electronically and by mail, but these failed due to reasons attributable to the company. The agency says that the sanctioning procedure was duly notified, subsequently granting a period for submitting appeals.
Another key element of Pinkgreen's defence was that the published data came from public social media profiles. The AEPD also rejects this argument. "The fact that this data appears on social media (...) does not imply that anyone can collect it from the internet and publish it without any legitimate basis," the authorities say. In other words, the accessibility of the information does not authorise its indiscriminate reuse.
From a legal standpoint, the ruling states that the restaurant's actions constitute "processing of personal data", as they involved its dissemination on an open platform. The AEPD notes that this processing must have a legitimate basis in accordance with the GDPR, which was not the case here.
The publication of data relating to the sexual orientation of one of the individuals concerned is particularly serious. This type of information is especially protected by European regulations. The ruling clarifies this: "The processing of personal data revealing (...) data relating to sexual life or sexual orientation is banned." The AEPD concludes that none of the exceptions that would allow this ban to be lifted apply.
According to the AEPD, the restaurant's responses make it "clear that they intended to publish this information". This circumstance aggravates the infraction, as it demonstrates the use of the information for retaliatory purposes.
As a result, the AEPD has imposed a total fine of 4,000 euros: 2,500 for violating the GDPR and 1,500 for infringing the article that governs the lawfulness of processing. The AEPD has also ordered the company to delete the published data and cease processing it within ten days.
The resolution concludes by reiterating that the dissemination of data online implies a loss of control for those affected, as it allows "unrestricted access to information by third parties". It serves as a reminder that, even in contexts of commercial or reputational conflict, legal limits regarding privacy remain strict.